Heart-Device Hacking Risks Seen

Medical devices that control the human heart may need safeguards to protect against remote-control hacking that could deliver electrical shocks to patients, researchers said.

Millions of Americans have pacemakers, which keeps hearts beating regularly, or an implanted defibrillator, which can restart stopped hearts with an electric jolt. After implanting a defibrillator under a patient's skin, a doctor uses a special device, about the size of a breadbox, to tell the defibrillator what to do -- for example, to instruct it to keep the heart beating at a certain rate or deliver a test jolt.

The devices, called programmers, communicate with a defibrillator using radio waves. To prevent tampering, only physicians are allowed to buy one from the manufacturers -- Medtronic Inc.,Boston Scientific Corp., and St. Jude Medical Inc.

But hackers could transmit the same radio signals -- causing a defibrillator to shock or shut down, or divulge a patient's medical information -- without needing a programmer, researchers found in a laboratory test of one model from Medtronic.

The study, to be presented at a California computer-security conference in May, suggests manufacturers should consider how to stop unauthorized people from tampering with implanted medical devices that receive instructions via radio waves, a growing category that also includes spinal-cord stimulators and drug-delivery pumps.

"This report demonstrates that you can obtain private information without authorization. You can reprogram the device without authorization," said William Maisel, a Harvard Medical School cardiologist and a co-author. But he cautioned that "our report is a theoretical risk, not an actual risk" and said there was no reason for anybody to consider deferring an implantation or removing a defibrillator.

There are no known cases of malicious tampering with somebody else's defibrillator, Dr. Maisel said. The authors withheld certain details of their experiment to prevent malicious people from repeating the procedure.

The study is the latest in a series that have found flaws in the security of wireless-communication systems -- from remote-control car keys, to Bluetooth telephone headsets, to the Wi-Fi technology used to connect to the Internet, to radio-frequency credit cards that can be "tapped" to make payments. But the prospect of remotely controlling somebody else's heart via radio waves rises to a different level, some said.

"I find it absolutely terrifying, the idea of having computer-controlled devices implanted in us," said Aviel Rubin, a professor of computer science at Johns Hopkins University who wasn't involved in the research. "If you can imagine what you might do in a very busy area, sending out a signal that would cause all of the people in the local area's implanted devices to start operating incorrectly, it's a really scary future we're headed towards."

Dr. Maisel and his collaborators -- Kevin Fu of the University of Massachusetts, and Tadayoshi Kohno of the University of Washington, both computer-science professors -- emphasized that the findings are as yet limited to one model of defibrillator made by Medtronic. They informed the Food and Drug Administration last month, they said.

In a statement, the agency said it had already been working on standards to raise the security of medical devices that receive instructions over radio waves but hadn't finalized them yet. "The chance of an ICD being reprogrammed by a computer hacker is extremely remote," said a spokeswoman, using the abbreviation for implanted defibrillator.

Medtronic acknowledged the report's findings but said the risk to patients was low. The company said it was gradually increasing the sophistication of devices to prevent unauthorized people from tampering with defibrillators, but said it was necessary to balance security with other factors. For example, if each defibrillator had its own password to prevent unauthorized access, a doctor might not be able to control it in an emergency situation, the company said.

Boston Scientific said it used encryption in its defibrillators, and doubted its devices could be hacked.

This copy is for your personal, non-commercial use only. Distribution and use of this material are governed by our Subscriber Agreement and by copyright law. For non-personal use or to order multiple copies, please contact Dow Jones Reprints at 1-800-843-0008 or visit www.djreprints.com.